
Tuesday, May 30, 2017

One of the scripts I've used a lot over the past few years is the Test-ExchangeServerHealth.ps1 PowerShell health check script written by Paul Cunningham. The red, yellow and green colour coded report generated by this script allows me to easily review the status of critical Exchange services on devices with small viewing space such as a smartphone. If you are unfamiliar with this script, further details about the script can be found in the following links:

This script could be scheduled to automatically run via the Task Scheduler and this post serves to provide the configuration for the action which sometimes can be difficult to find. Note that I won’t go into the details of creating the scheduled task as that could be found in one of my previous posts here:

Wednesday, May 17, 2017

It has been a busy week for most of my clients after the media published articles indicating that major organizations such as the NHS were infected by the WannaCry ransomware cryptoworm. Although a patch for this vulnerability was released as early as March 2017, some of my clients had either a portion of their servers or all of them unpatched, since I’ve found it is not uncommon for companies to miss months of patching for various business-related reasons. A lot of information has been made available since last week, but the important bits and pieces are scattered across different sites, so I wanted to write this post to collect the information provided by Microsoft that I found useful when helping clients determine whether they are protected.

The Microsoft First Patch Released

The first available patch Microsoft made available for this vulnerability was released in March 2017 known as Security Update MS17-010, SMBv1 and information about this could be found at the following Security TechCenter bulletin:

Installing the patch above prevents the cryptoworm from spreading to other servers via the legacy SMBv1 protocol. An alternative workaround is to disable SMBv1 altogether, which Microsoft recommends if the customer is running Windows Vista or later.

Versions of Windows Affected

All versions of Windows are affected by the vulnerability and the following table provides the KBs required to protect the operating system:

If one of the updates is installed on the system, the system is protected.

The vulnerability was fixed in the March 2017 security update, but the March, April and May rollups also include all previous updates (including the March security update).

| Operating System | 2017 March (Security Only) | 2016 March (Monthly Quality) | 2016 April (Monthly Quality) | 2017 May (Monthly Quality) | Independent Update |
|---|---|---|---|---|---|
| Windows XP / Windows Server 2003 / Windows 8 | NA | NA | NA | NA | KB4012598 |
| Windows Vista / Windows Server 2008 | NA | NA | NA | NA | KB4012598 |
| Windows 7 / Windows Server 2008 R2 | KB4012212 | KB4012215 | KB4015549 | KB4019264 | NA |
| Windows Server 2012 | KB4012214 | KB4012217 | KB4015551 | KB4019216 | NA |
| Windows 8.1 / Windows Server 2012 R2 | KB4012213 | KB4012216 | KB4015550 | KB4019215 | NA |
| Windows 10 1507 / Windows 10 LTSB 2015 | NA | KB4012606 | KB4015221 | KB4019474 | NA |
| Windows 10 1511 | NA | KB4013198 | KB4015219 | KB4019473 | NA |
| Windows 10 1607 / Windows 10 LTSB 2016 / Windows Server 2016 | NA | KB4015438 | KB4015217 | KB4019472 | NA |

Determining whether patch is installed

On a Windows Server 2012 or 2008 server, you can use the wmic qfe list command to determine whether the patch is installed. The following are the commands to execute on a Windows Server 2012 R2 or Windows 8.1 operating system when determining whether the required patch is installed:

wmic qfe list | find "KB4012213"

wmic qfe list | find "KB4012216"

wmic qfe list | find "KB4015550"

wmic qfe list | find "KB4019215"

**Note that the KB string after find is case sensitive, so use capital letters.

If the patches are not installed then no output would be written as shown in the following screenshot:

If the patch is found then the following output will be displayed:
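The wmic commands above check one KB at a time on one operating system. As an added example (not from the original post), the following PowerShell function applies the whole table to one or more servers: it looks up the server's OS version, picks the matching row of KBs, and reports whether any one of them is installed. The server names EX01 and EX02 are placeholders.

```powershell
# Added example (not from the original post): report whether any MS17-010
# update listed in the table above is installed on one or more servers.
# Get-HotFix reads the same Win32_QuickFixEngineering data as "wmic qfe list".
function Test-Ms17010Patch {
    [CmdletBinding()]
    param([string]$ComputerName = $env:COMPUTERNAME)

    # KB numbers per OS version, copied from the table; any one of them is sufficient.
    $kbByVersion = @{
        '5.1'        = @('KB4012598')                                                 # Windows XP
        '5.2'        = @('KB4012598')                                                 # Windows Server 2003
        '6.0'        = @('KB4012598')                                                 # Vista / Server 2008
        '6.1'        = @('KB4012212','KB4012215','KB4015549','KB4019264')             # Win 7 / 2008 R2
        '6.2'        = @('KB4012598','KB4012214','KB4012217','KB4015551','KB4019216') # Win 8 / Server 2012
        '6.3'        = @('KB4012213','KB4012216','KB4015550','KB4019215')             # Win 8.1 / 2012 R2
        '10.0.10240' = @('KB4012606','KB4015221','KB4019474')                         # Win 10 1507 / LTSB 2015
        '10.0.10586' = @('KB4013198','KB4015219','KB4019473')                         # Win 10 1511
        '10.0.14393' = @('KB4015438','KB4015217','KB4019472')                         # Win 10 1607 / Server 2016
    }

    # Get-WmiObject (DCOM) is used rather than CIM so that 2003/2008 hosts without WinRM still answer
    $os  = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName -ErrorAction Stop
    $ver = [version]$os.Version
    # Windows 10 / Server 2016 updates are build-specific; older releases are keyed on major.minor
    $key = "$($ver.Major).$($ver.Minor)"
    if ($ver.Major -ge 10) { $key += ".$($ver.Build)" }

    $result = [ordered]@{ ComputerName = $ComputerName; OS = $os.Caption; Version = $os.Version }
    if (-not $kbByVersion.ContainsKey($key)) {
        $result.Protected = $null
        $result.Note      = 'OS build not in the table; check manually'
        return [pscustomobject]$result
    }

    $installed = Get-HotFix -ComputerName $ComputerName -ErrorAction Stop | Select-Object -ExpandProperty HotFixID
    $found     = @($kbByVersion[$key] | Where-Object { $installed -contains $_ })

    $result.Protected   = ($found.Count -gt 0)
    $result.InstalledKB = ($found -join ', ')
    $result.Note        = if ($found.Count -eq 0) { 'No MS17-010 update found; install the latest rollup' } else { '' }
    [pscustomobject]$result
}

# Check several servers at once and list the unprotected ones first (placeholder names)
'EX01', 'EX02' | ForEach-Object { Test-Ms17010Patch -ComputerName $_ } |
    Sort-Object Protected | Format-Table ComputerName, OS, Protected, InstalledKB, Note -AutoSize
```

Monthly rollups are cumulative, so a server patched with a rollup newer than those in the table also contains the fix but will not be matched here; treat a "not protected" result as a prompt to inspect the installed rollups rather than as proof the SMBv1 vulnerability is exposed.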

Patching the Operating System Vulnerability

As mentioned in the Versions of Windows Affected section, the operating system is protected as long as one of the patches is installed, so it is always advisable to install the latest rollup package rather than an earlier rollup or the security-only patch. However, if downloading a 200MB+ rollup package for a Windows Server 2012 operating system:

Tuesday, May 9, 2017

You’re attempting to log into VMware Horizon View where 2 factor authentication is enabled and you use your email address or UPN as the User name:

However, you notice that you are unable to change the Domain field as the drop down box is greyed out and locked:

Solution

I am unsure whether this problem is specific to the SecurEnvoy 2 factor authentication software this environment had, but a way around it is to use the format domain\username in the User name field instead:

Using this login format will unlock the domain drop down box so you can now select the domain:

Friday, May 5, 2017

I’ve been asked several times in the past how to block subdirectories when a website is published with a NetScaler, and the most recent request was for blocking Exchange Server 2016 /ecp access. As most Exchange administrators are aware, Exchange 2013 and 2016 allow an administrator to manage Exchange via the OWA URL with the /ecp subdirectory. This isn’t usually a concern when accessed via the internal corporate network, but administrators get nervous when it is available via the internet. With this recent request, I thought it would be a good idea to use it as an example to demonstrate what the configuration would look like.

**Note that this post is not endorsing blocking the ECP URL, because I am unsure whether Exchange 2016 fully supports this without breaking features for regular users, as it did in Exchange 2013. There have been several forum posts that appear to suggest it is ok, but I’ll leave it up to others to decide whether to do it.

Step #1 – Create Pattern Set

Begin by creating a pattern set to match the ecp string with the following command:

add policy patset deny_ecp_url

Alternatively, you can create this via the GUI as well:

AppExpert > Pattern Sets > Add

Open the properties of the newly created Pattern Set, click on the Insert button and create the ecp pattern:

Step #2 – Create Rewrite Action

With the Pattern Set created, proceed with creating a Rewrite Action that replaces /ecp with the root, using the following command:

Manually executing the Test-Mailflow cmdlet on the servers completes without any issues.

Solution

One of the reasons why this error would be thrown is if you have entered the FQDN that represents your load balanced CAS servers for the PowerShell (Default Web Site) Internal URL field:

Changing the field as shown in the screenshot above causes the script to connect to the virtual name to execute PowerShell cmdlets, which is what produces the following error complaining that the virtual name does not map to a computer account in Active Directory:

Mail flow test: WARNING: Connecting to remote server webmail.contoso.com failed with the following error message: WinRM cannot process the request. The following error occurred while using Kerberos authentication: Cannot find the computer webmail.contoso.com. Verify that the computer exists on the network and that the name provided is spelled correctly.

To correct the issue, change the Internal URL field back to the internal FQDN name of the server:
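As an added example (not from the original post), the following PowerShell run from the Exchange Management Shell finds every server whose PowerShell (Default Web Site) Internal URL points at a host other than the server's own FQDN, which is the misconfiguration described above. Get-ExchangeServer, Get-PowerShellVirtualDirectory and Set-PowerShellVirtualDirectory are the standard Exchange cmdlets; the server name EX01 and the URL in the remediation comment are placeholders.

```powershell
# Added example (not from the original post): list Exchange servers whose
# "PowerShell (Default Web Site)" InternalUrl does not point at the server's own FQDN.
# Run it in the Exchange Management Shell; the Get-/Set- cmdlets below are Exchange's own.
function Get-PowerShellVdirMismatch {
    # Map server name -> FQDN so each virtual directory is compared with its own host
    $fqdnByName = @{}
    Get-ExchangeServer | ForEach-Object { $fqdnByName[$_.Name] = $_.Fqdn }

    foreach ($vdir in Get-PowerShellVirtualDirectory) {
        $serverName = $vdir.Server.Name
        $expected   = $fqdnByName[$serverName]
        $url        = $vdir.InternalUrl                    # System.Uri, or $null when the field is blank
        $urlHost    = if ($url) { $url.Host } else { '' }
        $urlText    = if ($url) { $url.AbsoluteUri } else { '(not set)' }

        [pscustomobject]@{
            Server       = $serverName
            ExpectedHost = $expected
            InternalUrl  = $urlText
            # A load-balanced name such as webmail.contoso.com here triggers the WinRM/Kerberos error
            Mismatch     = ($urlHost -ne '' -and $urlHost -ine $expected)
        }
    }
}

# Show only the servers that need fixing
Get-PowerShellVdirMismatch | Where-Object { $_.Mismatch } | Format-Table -AutoSize

# Remediation for one server, as the post describes: set the Internal URL back to the server FQDN
# (placeholder names; run once per mismatched server)
# Set-PowerShellVirtualDirectory -Identity 'EX01\PowerShell (Default Web Site)' -InternalUrl 'http://ex01.contoso.com/PowerShell'
```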